RFID Virus dismissed

March 30, 2006

From BoingBoing: Ben Giddings of ThingMagic, who is only speaking as an "annoyed engineer" not a ThingMagic representative, says this is all a bunch of hooey:

The "RFID Virus" is absolutely laughable.

If you read the "paper", here's what they do:

1. Construct an RFID middleware system, intentionally design it to have some really obvious security flaws, ones that even most basic web developers know to avoid, namely the two security no-nos of implicitly trusting external data, and treating data as code.

2. Knowing the exact nature of those two obvious security flaws, including the exact implementation of the flaws, send malicious data that exploits those flaws.

This is so laughably stupid, but somehow it got picked up by the news outlets because it contains buzzwords: "RFID" and "Virus".

Really, what they're doing is the equivalent of:

1. Designing a barcode system to automatically self-destruct if it ever reads a barcode of , for no reason other than to prove it's dangerous.2. Broadcasting to the world that the barcode system will self-destruct if it ever reads a barcode of .3. Intentionally reading a barcode of .4. Claiming that barcodes are dangerous.

RFID Tags, just like barcodes are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you'll have a problem.

I'm surprised the music industry hasn't tried this with MP3s. Design a MP3 player that will format your hard drive if it sees a certain often-downloaded song, download that song, show the drive getting formatted, then claim that MP3s are dangerous because they might format your hard drive.